Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <e099b2d21c5febadcb4de930cd5cffacbd08f41a.camel@decadent.org.uk>
Date: Sun, 05 Aug 2018 21:36:09 +0800
From: Ben Hutchings <ben@...adent.org.uk>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Antonio Diaz Diaz <antonio@....org>
Subject: Heap-based buffer overflow in zutils zcat

A heap-based buffer overflow (CWE-122) was discovered in the zutils
implementation of zcat.  It is apparently possible only if the -v
option, or one of the other options that implies -v, is used.

This seems to have been first discovered in 2016 as a result of
interaction between initramfs-tools and zutils, but was initially
thought to be a bug in the gzip implementation of zcat:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1507443
https://bugs.debian.org/815915

It was eventually reported to the zutils upstream developer (Antonio
Diaz Diaz, cc'd) in the last few weeks and was fixed in version
1.8-pre2.  This was announced in:
https://lists.nongnu.org/archive/html/zutils-bug/2018-08/msg00000.html

I will request a CVE ID for this.

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that
there are so many of them.

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.